Analysis
- max time kernel: 141s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/08/2024, 00:09
Static task: static1
Behavioral task: behavioral1
  Sample: c1e0719e500e44e188cf744a3c5497ed_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: c1e0719e500e44e188cf744a3c5497ed_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: c1e0719e500e44e188cf744a3c5497ed_JaffaCakes118.exe
- Size: 1.1MB
- MD5: c1e0719e500e44e188cf744a3c5497ed
- SHA1: 2fcbae15888b3c7e803de96409ede3d0ece80a08
- SHA256: 3756470f830130a06844383075517ad5372c1d30a6d5252775bbf02796616aa3
- SHA512: c3bfcbcbed3c0ddaf6ca06c122b767906ae014b1e1dfe5c1fb57c997483326b935c8a281b1392fd29f5ba8bb610bcb20b2435944231f780153218f1781309f53
- SSDEEP: 24576:fYCufNjDeWrxGPa0tpTRnyEh+E3qDTj36DYnCFaw:fpuHGPa6TyE53qDfKDR/
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\R:  MSIEXEC.EXE
  File opened (read-only)  \??\W:  MSIEXEC.EXE
  File opened (read-only)  \??\L:  MSIEXEC.EXE
  File opened (read-only)  \??\G:  MSIEXEC.EXE
  File opened (read-only)  \??\H:  MSIEXEC.EXE
  File opened (read-only)  \??\N:  MSIEXEC.EXE
  File opened (read-only)  \??\S:  MSIEXEC.EXE
  File opened (read-only)  \??\T:  MSIEXEC.EXE
  File opened (read-only)  \??\X:  MSIEXEC.EXE
  File opened (read-only)  \??\E:  MSIEXEC.EXE
  File opened (read-only)  \??\I:  MSIEXEC.EXE
  File opened (read-only)  \??\J:  MSIEXEC.EXE
  File opened (read-only)  \??\K:  MSIEXEC.EXE
  File opened (read-only)  \??\U:  MSIEXEC.EXE
  File opened (read-only)  \??\V:  MSIEXEC.EXE
  File opened (read-only)  \??\B:  MSIEXEC.EXE
  File opened (read-only)  \??\M:  MSIEXEC.EXE
  File opened (read-only)  \??\O:  MSIEXEC.EXE
  File opened (read-only)  \??\P:  MSIEXEC.EXE
  File opened (read-only)  \??\Q:  MSIEXEC.EXE
  File opened (read-only)  \??\Y:  MSIEXEC.EXE
  File opened (read-only)  \??\Z:  MSIEXEC.EXE
  File opened (read-only)  \??\A:  MSIEXEC.EXE
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c1e0719e500e44e188cf744a3c5497ed_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSIEXEC.EXE
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  description                           pid   Process
  Token: SeShutdownPrivilege            1996  MSIEXEC.EXE
  Token: SeIncreaseQuotaPrivilege       1996  MSIEXEC.EXE
  Token: SeSecurityPrivilege            4708  msiexec.exe
  Token: SeCreateTokenPrivilege         1996  MSIEXEC.EXE
  Token: SeAssignPrimaryTokenPrivilege  1996  MSIEXEC.EXE
  Token: SeLockMemoryPrivilege          1996  MSIEXEC.EXE
  Token: SeIncreaseQuotaPrivilege       1996  MSIEXEC.EXE
  Token: SeMachineAccountPrivilege      1996  MSIEXEC.EXE
  Token: SeTcbPrivilege                 1996  MSIEXEC.EXE
  Token: SeSecurityPrivilege            1996  MSIEXEC.EXE
  Token: SeTakeOwnershipPrivilege       1996  MSIEXEC.EXE
  Token: SeLoadDriverPrivilege          1996  MSIEXEC.EXE
  Token: SeSystemProfilePrivilege       1996  MSIEXEC.EXE
  Token: SeSystemtimePrivilege          1996  MSIEXEC.EXE
  Token: SeProfSingleProcessPrivilege   1996  MSIEXEC.EXE
  Token: SeIncBasePriorityPrivilege     1996  MSIEXEC.EXE
  Token: SeCreatePagefilePrivilege      1996  MSIEXEC.EXE
  Token: SeCreatePermanentPrivilege     1996  MSIEXEC.EXE
  Token: SeBackupPrivilege              1996  MSIEXEC.EXE
  Token: SeRestorePrivilege             1996  MSIEXEC.EXE
  Token: SeShutdownPrivilege            1996  MSIEXEC.EXE
  Token: SeDebugPrivilege               1996  MSIEXEC.EXE
  Token: SeAuditPrivilege               1996  MSIEXEC.EXE
  Token: SeSystemEnvironmentPrivilege   1996  MSIEXEC.EXE
  Token: SeChangeNotifyPrivilege        1996  MSIEXEC.EXE
  Token: SeRemoteShutdownPrivilege      1996  MSIEXEC.EXE
  Token: SeUndockPrivilege              1996  MSIEXEC.EXE
  Token: SeSyncAgentPrivilege           1996  MSIEXEC.EXE
  Token: SeEnableDelegationPrivilege    1996  MSIEXEC.EXE
  Token: SeManageVolumePrivilege        1996  MSIEXEC.EXE
  Token: SeImpersonatePrivilege         1996  MSIEXEC.EXE
  Token: SeCreateGlobalPrivilege        1996  MSIEXEC.EXE
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  1996  MSIEXEC.EXE
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid   Process                                             procid_target
  PID 1776 wrote to memory of 1996     1776  c1e0719e500e44e188cf744a3c5497ed_JaffaCakes118.exe  87
  PID 1776 wrote to memory of 1996     1776  c1e0719e500e44e188cf744a3c5497ed_JaffaCakes118.exe  87
  PID 1776 wrote to memory of 1996     1776  c1e0719e500e44e188cf744a3c5497ed_JaffaCakes118.exe  87
Processes
- C:\Users\Admin\AppData\Local\Temp\c1e0719e500e44e188cf744a3c5497ed_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1e0719e500e44e188cf744a3c5497ed_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1776
  - C:\Windows\SysWOW64\MSIEXEC.EXE
    Command line: MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{F087FAD0-B450-4CE2-84AD-8715E160405C}\MRUClear 1.6.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp"
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 1996
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID: 4708
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 6KB
  MD5: 26a9b54f250e00693773481b837e03cc
  SHA1: 554a407bf23984026785430e3bbdffdd1285be06
  SHA256: 2a5eb805543b141d77ce7192c5f7e4e10ffb56de0a5a66905c79298dfc5ffbd5
  SHA512: a9f141f96f7bb498c4326cab2e846ce0715830ec86b04a311ccb0c7f3eb6adcc62ec1412cbd8d230b957cd923ab3a81af34b40294297773395d53d8aa73f9073
- Filesize: 735KB
  MD5: 174b8284addf509e349143c4162cb2fa
  SHA1: 1baec64346b47760ce3226dcc499aaa8ae87669a
  SHA256: 764ae8ad9091443ef2ecbd1e5496ef5550efe876c61b33205bf0ceaa082f15f2
  SHA512: 524b77c95df939276f2c111aa577810b6912e1477649260a6178248cfafbafee7f0dc5a67e61a0144ba0f1c8e409d7a3594bfa5f0ba23e01679afccbc070379f
- Filesize: 2KB
  MD5: 45df1047e0ab2b878e8bed02db5af588
  SHA1: 56cf6216a167465aba4c929de463229fc99b0ac8
  SHA256: a86dafd17ce2503e53f22b043deaa91b5b0748d102eda20f5a90f59431c38b64
  SHA512: 40f6f97f7345ed2b8329b2bec6dc22883fabef4d70aba6f93063f63cdf931e6609ae6bcc9228f9eeeda6ad3e87e31dabd802017824182ebb74a6f4beb203db0d